2021-12-25 21:42:34 +08:00
# 安装 kubedns 插件
2017-04-14 17:39:40 +08:00
2021-12-25 21:42:34 +08:00
官方的 yaml 文件目录:`kubernetes/cluster/addons/dns`。
2017-04-14 17:39:40 +08:00
2021-12-25 21:42:34 +08:00
该插件直接使用 kubernetes 部署,官方的配置文件中包含以下镜像:
2017-04-14 17:39:40 +08:00
2019-10-08 23:28:08 +08:00
```ini
gcr.io/google_containers/k8s-dns-dnsmasq-nanny-amd64:1.14.1
gcr.io/google_containers/k8s-dns-kube-dns-amd64:1.14.1
gcr.io/google_containers/k8s-dns-sidecar-amd64:1.14.1
```
2021-12-25 21:42:34 +08:00
我 clone 了上述镜像,上传到我的私有镜像仓库:
2017-04-14 17:39:40 +08:00
2019-10-08 23:28:08 +08:00
```ini
2018-05-04 19:48:54 +08:00
harbor-001.jimmysong.io/library/k8s-dns-dnsmasq-nanny-amd64:1.14.1
harbor-001.jimmysong.io/library/k8s-dns-kube-dns-amd64:1.14.1
harbor-001.jimmysong.io/library/k8s-dns-sidecar-amd64:1.14.1
2017-04-14 17:39:40 +08:00
```
2021-12-25 21:42:34 +08:00
以下 yaml 配置文件中使用的是私有镜像仓库中的镜像。
2017-04-14 17:39:40 +08:00
2021-12-25 21:42:34 +08:00
```ini
2017-04-14 17:39:40 +08:00
kubedns-cm.yaml
kubedns-sa.yaml
kubedns-controller.yaml
kubedns-svc.yaml
```
2017-10-12 10:12:11 +08:00
已经修改好的 yaml 文件见:[../manifests/kubedns](https://github.com/rootsongjc/kubernetes-handbook/blob/master/manifests/kubedns)
2017-04-14 17:39:40 +08:00
## 系统预定义的 RoleBinding
预定义的 RoleBinding `system:kube-dns` 将 kube-system 命名空间的 `kube-dns` ServiceAccount 与 `system:kube-dns` Role 绑定, 该 Role 具有访问 kube-apiserver DNS 相关 API 的权限;
2019-07-08 10:39:21 +08:00
```bash
2017-04-14 17:39:40 +08:00
$ kubectl get clusterrolebindings system:kube-dns -o yaml
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
annotations:
rbac.authorization.kubernetes.io/autoupdate: "true"
creationTimestamp: 2017-04-11T11:20:42Z
labels:
kubernetes.io/bootstrapping: rbac-defaults
name: system:kube-dns
resourceVersion: "58"
selfLink: /apis/rbac.authorization.k8s.io/v1beta1/clusterrolebindingssystem%3Akube-dns
uid: e61f4d92-1ea8-11e7-8cd7-f4e9d49f8ed0
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: system:kube-dns
subjects:
- kind: ServiceAccount
name: kube-dns
namespace: kube-system
```
`kubedns-controller.yaml` 中定义的 Pods 时使用了 `kubedns-sa.yaml` 文件定义的 `kube-dns` ServiceAccount, 所以具有访问 kube-apiserver DNS 相关 API 的权限。
## 配置 kube-dns ServiceAccount
无需修改。
## 配置 `kube-dns` 服务
``` bash
$ diff kubedns-svc.yaml.base kubedns-svc.yaml
30c30
< clusterIP: __PILLAR__DNS__SERVER__
---
> clusterIP: 10.254.0.2
```
+ spec.clusterIP = 10.254.0.2,即明确指定了 kube-dns Service IP, 这个 IP 需要和 kubelet 的 `--cluster-dns` 参数值一致;
## 配置 `kube-dns` Deployment
``` bash
$ diff kubedns-controller.yaml.base kubedns-controller.yaml
58c58
< image: gcr . io / google_containers / k8s-dns-kube-dns-amd64:1 . 14 . 1
---
2018-05-04 19:48:54 +08:00
> image: harbor-001.jimmysong.io/library/k8s-dns-kube-dns-amd64:v1.14.1
2017-04-14 17:39:40 +08:00
88c88
< - --domain = __PILLAR__DNS__DOMAIN__.
---
> - --domain=cluster.local.
92c92
< __PILLAR__FEDERATIONS__DOMAIN__MAP__
---
> #__PILLAR__FEDERATIONS__DOMAIN__MAP__
110c110
< image: gcr . io / google_containers / k8s-dns-dnsmasq-nanny-amd64:1 . 14 . 1
---
2018-05-04 19:48:54 +08:00
> image: harbor-001.jimmysong.io/library/k8s-dns-dnsmasq-nanny-amd64:v1.14.1
2017-04-14 17:39:40 +08:00
129c129
< - --server = /__PILLAR__DNS__DOMAIN__/127.0.0.1#10053
---
> - --server=/cluster.local./127.0.0.1#10053
148c148
< image: gcr . io / google_containers / k8s-dns-sidecar-amd64:1 . 14 . 1
---
2018-05-04 19:48:54 +08:00
> image: harbor-001.jimmysong.io/library/k8s-dns-sidecar-amd64:v1.14.1
2017-04-14 17:39:40 +08:00
161,162c161,162
< - --probe = kubedns,127.0.0.1:10053,kubernetes.default.svc.__PILLAR__DNS__DOMAIN__,5,A
< - --probe = dnsmasq,127.0.0.1:53,kubernetes.default.svc.__PILLAR__DNS__DOMAIN__,5,A
---
> - --probe=kubedns,127.0.0.1:10053,kubernetes.default.svc.cluster.local.,5,A
> - --probe=dnsmasq,127.0.0.1:53,kubernetes.default.svc.cluster.local.,5,A
```
+ 使用系统已经做了 RoleBinding 的 `kube-dns` ServiceAccount, 该账户具有访问 kube-apiserver DNS 相关 API 的权限;
## 执行所有定义文件
``` bash
$ pwd
/root/kubedns
$ ls *.yaml
kubedns-cm.yaml kubedns-controller.yaml kubedns-sa.yaml kubedns-svc.yaml
$ kubectl create -f .
```
## 检查 kubedns 功能
新建一个 Deployment
``` bash
2018-11-06 18:56:20 +08:00
$ cat >> my-nginx.yaml < < EOF
2017-04-14 17:39:40 +08:00
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
name: my-nginx
spec:
replicas: 2
template:
metadata:
labels:
run: my-nginx
spec:
containers:
- name: my-nginx
2018-05-04 19:48:54 +08:00
image: harbor-001.jimmysong.io/library/nginx:1.9
2017-04-14 17:39:40 +08:00
ports:
- containerPort: 80
2018-11-06 18:56:20 +08:00
EOF
2017-04-14 17:39:40 +08:00
$ kubectl create -f my-nginx.yaml
```
Export 该 Deployment, 生成 `my-nginx` 服务
``` bash
$ kubectl expose deploy my-nginx
$ kubectl get services --all-namespaces |grep my-nginx
default my-nginx 10.254.179.239 < none > 80/TCP 42m
```
创建另一个 Pod, 查看 `/etc/resolv.conf` 是否包含 `kubelet` 配置的 `--cluster-dns` 和 `--cluster-domain` ,是否能够将服务 `my-nginx` 解析到 Cluster IP `10.254.179.239` 。
``` bash
$ kubectl create -f nginx-pod.yaml
$ kubectl exec nginx -i -t -- /bin/bash
root@nginx:/# cat /etc/resolv.conf
nameserver 10.254.0.2
2018-05-04 19:48:54 +08:00
search default.svc.cluster.local. svc.cluster.local. cluster.local. jimmysong.io
2017-04-14 17:39:40 +08:00
options ndots:5
root@nginx:/# ping my-nginx
PING my-nginx.default.svc.cluster.local (10.254.179.239): 56 data bytes
76 bytes from 119.147.223.109: Destination Net Unreachable
^C--- my-nginx.default.svc.cluster.local ping statistics ---
root@nginx:/# ping kubernetes
PING kubernetes.default.svc.cluster.local (10.254.0.1): 56 data bytes
^C--- kubernetes.default.svc.cluster.local ping statistics ---
11 packets transmitted, 0 packets received, 100% packet loss
root@nginx:/# ping kube-dns.kube-system.svc.cluster.local
PING kube-dns.kube-system.svc.cluster.local (10.254.0.2): 56 data bytes
^C--- kube-dns.kube-system.svc.cluster.local ping statistics ---
6 packets transmitted, 0 packets received, 100% packet loss
2021-12-25 21:42:34 +08:00
从结果来看, service 名称可以正常解析。
2017-04-14 17:39:40 +08:00
```
2021-12-25 21:42:34 +08:00
**注意**:直接 ping ClusterIP 是 ping 不通的, ClusterIP 是根据 **IPtables** 路由到服务的 endpoint 上,只有结合 ClusterIP 加端口才能访问到对应的服务。